
Topic: acts_as_authenticated security question

I'm using the RESTful acts_as_authenticated and have a question about attr_accessible. Any fields you want to be changeable by the user you add to attr_accessible, such as first_name, last_name etc. I also have a boolean called is_admin which is false by default.

At the moment if a user is an admin and they create a new user they get shown a checkbox for the is_admin field. The is_admin boolean never gets set (of course) unless I put it in the attr_accessible list. Is this safe?

I am assuming not because any user could create a custom request which would make them an admin?

The one solution I can think of at the moment is to protect is_admin in the controller by always setting params[:user][:is_admin] to false unless the current user is an admin themselves.

Re: acts_as_authenticated security question

I haven't had any experience with acts_as_authenticated, but I think this is probably a more general model question. You want to prevent mass assignment to is_admin, so that a user filling out the form can't pass is_admin=1 as a parameter and turn themselves into an administrator. So in your model, you should do:
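The following is an added example, not code from either poster and not part of acts_as_authenticated or Rails. It is plain Ruby so it runs without Rails: the `User` class re-implements the attr_accessible whitelist behaviour the reply refers to (only `login`, `first_name` and `last_name` are mass-assignable, `is_admin` is dropped from any submitted params), and the `create_user` method plays the role of the controller action from the question, honouring the is_admin checkbox only when the current user is already an admin. The class, method and parameter names are assumptions; the request params are constructed for the example.

```ruby
# Added example (not from the original thread): a minimal stand-in for the
# ActiveRecord mass-assignment whitelist. Plain Ruby, no Rails required.

class User
  ATTRIBUTES = [:login, :first_name, :last_name, :is_admin].freeze

  # Whitelist: only these keys may be set through mass assignment.
  # This is the equivalent of `attr_accessible :login, :first_name, :last_name`.
  ACCESSIBLE = [:login, :first_name, :last_name].freeze

  attr_reader(*ATTRIBUTES)

  def initialize(params = {})
    @is_admin = false            # default, as in the question
    assign_attributes(params)
  end

  # Mass assignment: silently drops any key not on the whitelist, so an
  # `is_admin` key in a crafted request has no effect on the new record.
  def assign_attributes(params)
    (params || {}).each do |key, value|
      key = key.to_sym
      next unless ACCESSIBLE.include?(key)
      instance_variable_set("@#{key}", value)
    end
    self
  end

  # Explicit setter for the privileged field. It is not reachable through
  # mass assignment, so only code that deliberately calls it can flip it.
  def is_admin=(value)
    @is_admin = %w[1 true].include?(value.to_s)
  end
end

# Controller-style create action (assumed name). Mass-assigns the safe
# fields and only applies the is_admin checkbox when the current user is
# an admin; for everyone else the field keeps its default of false.
def create_user(params, current_user)
  user = User.new(params[:user])
  if current_user && current_user.is_admin
    user.is_admin = params[:user][:is_admin]
  end
  user
end

# Constructed request params: a self-registration that smuggles in is_admin=1.
CRAFTED_PARAMS = { user: { login: "mallory", first_name: "M", is_admin: "1" } }.freeze

# Constructed current users: an anonymous visitor and an existing admin.
ANON_USER  = nil
ADMIN_USER = User.new(login: "root").tap { |u| u.is_admin = "1" }

if __FILE__ == $0
  puts create_user(CRAFTED_PARAMS, ANON_USER).is_admin   # false
  puts create_user(CRAFTED_PARAMS, ADMIN_USER).is_admin  # true
end
```

The point of keeping `is_admin` off the whitelist is that the protection lives in the model, so every code path that builds a `User` from request params is covered, not just the one controller action where you remembered to reset `params[:user][:is_admin]`.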